search

Mirket MFA Agent for Debian

Mirket OS Agent enables Multi-Factor Authentication (MFA) for:

  • SSH access

  • Privilege elevation (sudo/su)

  • Local Debian login

Authentication can be performed via Mirket Push, or by entering a Passcode (TOTP, Mirket token, Offline code, or Recovery code).

hashtag
📥 1. Download the Agent

wget https://mirketosagentubuntu.s3.eu-west-2.amazonaws.com/LinuxOSAgent.tar.gz

hashtag
⚙️ 2. Install the Agent

Make the installation scripts executable:

tar -xzvf LinuxOSAgent.tar.gz
cd LinuxOSAgent/
sudo chmod +x ./debian_install_mirket.sh
sudo chmod +x ./uninstall_mirket.sh

First, check the server time:

date

If the time is not correct, verify that systemd-timesyncd is active:

If the service is not running, enable and start it:

Then, force a time synchronization:

This will ensure the system clock is updated automatically.

Once the time is correct, proceed with the installation script.

Run the installer with elevated privileges:

hashtag
🔑 3. Offline Code Setup

During installation, you'll be prompted to generate and verify an Offline Code:

  • A QR code and a secret key (Base32) will be shown.

  • Enter the corresponding Offline Code to verify.

  • This code will be used if the device is offline.

Example:

hashtag
🌐 4. Enter Admin URL and API Key

When prompted:

  • Enter your Mirket admin URL (default is: https://admin.mirketsecurity.com)

  • Paste the API Key generated from the Mirket Admin Portal.

hashtag
🙋‍♂️ 5. Configure Bypass Users (Optional)

During setup, you can define users who can bypass MFA (e.g., for emergency or monitoring accounts).

Example input:

hashtag
🔐 6. Authentication Test

hashtag
SSH Login

  • 1 triggers a Mirket Push notification to your mobile device.

  • You can also enter a passcode manually.

hashtag
Sudo/Privilege Elevation

Supported Passcode Types:

  • Mirket token

  • TOTP (Time-based One-Time Password)

  • Offline code

  • Recovery code

🧹 7. Uninstalling the Agent

To remove the Mirket OS Agent completely:

This will:

  • Remove all related binaries

  • Clean PAM configurations

  • Restore SSH settings

hashtag
🚀 Enabling Passwordless MFA with Mirket PAM Module

This guide explains how to configure SSH login and privileged commands (sudo) to enforce passwordless Multi-Factor Authentication (MFA) using the pam_mirket_authenticator.so module. By adjusting the PAM configuration only—without modifying the sshd_config file—you achieve a secure and streamlined authentication flow.

hashtag
🎯 Objective

To enforce Mirket MFA as the sole authentication method for:

  • SSH login

  • sudo and other PAM-based elevated actions

while fully disabling traditional password or public key authentication.

Open the common-auth PAM configuration file:

Comment out the default authentication modules by placing # at the beginning of the following lines:

Then add or ensure the Mirket MFA module is the only active authentication rule:

📌 This ensures that PAM no longer checks the system password, and only relies on Mirket’s authenticator.

hashtag
✅ Post-Installation Notes

  • PAM configuration updated: auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok

  • SSH setting KbdInteractiveAuthentication is enabled

  • Mirket Agent supports interactive MFA prompts across terminal and GUI login (Ubuntu Login Screen)

PreviousMirket MFA Agent for Redhat - CentrifyDCNextMirket MFA Agent for SUSE

Last updated